Relax…it’s just the data of 22.5 million Malaysians leaking online

(Photo by Arif KARTONO / AFP)

While most organizations and governments around the world would scramble whenever a data breach occurs, the Malaysian government seems to be handling it at a very calm pace.

For most businesses, any data breach or data leak could result in huge financial loss to the organization and even damage its reputation. And in some cases, the recovered data might already have been tampered with, causing more worries for the people involved.

As millions of Malaysians fear their personal details may be falling into the wrong hands following an alleged data breach at the National Registration Department (NRD), the government has assured the public that the situation may not be as bad as it looks.

In fact, Malaysia’s Home Minister said that the alleged data leak containing information on 22.5 million Malaysians did not come from the NRD as there was a mechanism in place that could prove that the information disclosed did not come from the department.

Local technology portal Amanz originally reported that a database allegedly from the NRD, about 160 GB in size, was being sold for US$10,000 on the dark web. The data contained information on 22.5 million Malaysians born between 1940 and 2004.

This is not the first time that the NRD has been breached. Last year, a database of around 4 million Malaysians from the NRD also made its way to forums on the dark web and was sold there.

While an investigation into the breach and related inquiries are ongoing, many Malaysians are concerned about the state of cybersecurity in government agencies, particularly as data leaks become more common.

Phillip Ivancic, APAC Head of Solutions Strategy at Synopsys Software Integrity Group, shares the same sentiments. For him, although the authorities have not yet confirmed the details, a massive data breach of the national identity database should be a serious concern for all Malaysians.

The type of information that would have been included in the data breach, such as national identity numbers, dates of birth, address, gender, religion and official passport photographs, could indeed be used by criminal groups to attempt to impersonate Malaysian citizens. Criminal groups may attempt to take out loans or commit other financial fraud using registered identity information.

“I’m sure the Malaysian authorities will provide official guidance, but I strongly encourage all Malaysians to change their passwords and, if they haven’t already, to ensure they have registered to receive alerts from official credit bureau sources to alert them if a loan, buy now pay later or credit card is underwritten in their name. Passwords should be as long as possible. One tip I often recommend is to make your password a passphrase, for example, a short phrase that you will remember, like ‘I have 2 pet cats and 2 dogs’ would make a strong password,” Ivancic commented.

Meanwhile, Garrett O’Hara, Mimecast’s chief field technologist, believes the data leak could have been caused by many reasons. He explained that it depends on how the data breach happened and that at this stage there is not enough information.

“If it was through the myIDENTITY API, as has been suggested by various sources, there may be additional work needed to secure the API endpoints against unauthorized access, or maybe a limitation to avoid data collection. A thorough post-incident analysis can highlight the learnings needed to make an organization more cyber-resilient in the future,” O’Hara said.

O’Hara added that the NRD being unaware of the data leak is also a common occurrence. Many organizations do not realize they have had a data breach until they are notified by another organization. There are services to monitor the dark web for datasets or information related to a particular company or organization.

Often, the first time an organization learns that their data has been hacked is when they receive a phone call from someone who has found a dataset on an underground data brokerage platform.

General cybersecurity best practices would ensure that organizations employ strong technical security controls such as email, device, and web security, in addition to securing data access and handling processes, as well as having staff who are well trained in cybersecurity best practices, O’Hara said.

This mitigates some of the data breach risks. Data leaks caused by a user deliberately or accidentally exfiltrating data through channels such as email, USB drives, or online storage tools can also be mitigated by data leak prevention tools. These tools examine data channels to detect accidental or unauthorized sending of data and can automatically block data before it becomes a breach situation.

That said, the Malaysian government may need to be a bit more careful when it comes to dealing with data leaks and breaches. While they may have the situation under control, they still need to be more vigilant and ensure that their digital assets and infrastructure are well protected against any cyber threats.
